Commit Graph

2 Commits

Author SHA1 Message Date
7eefac0224 authelia: sync caddy-forward-auth snippet to deployed reality
The portal vhost + forward-auth are now live on the main box Caddy. Align
the template with what was actually deployed:

- upstream host -> agrajag.tail7b1641.ts.net (the Authelia node's MagicDNS
  name), replacing the majikthise placeholder
- drop the explicit `tls` cert-file lines: this Caddy uses automatic HTTPS
  (no /etc/caddy/certs); ACME for auth.infinidim.net rides the :443->:8443
  SNI fan-out (tls-alpn-01) + :80 (http-01)
- forward-auth endpoint /api/verify?rd=... -> /api/authz/forward-auth, the
  Authelia 4.39 path; portal redirect comes from authelia_url in the yml
- note the infinidim.net CAA accounturi pin: a new L7 vhost 403s until this
  Caddy's LE account is allowlisted (now done alongside Stalwart's)

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-13 02:24:59 +01:00
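A Caddyfile sketch of the setup this commit describes, added here as an illustration; it is not the repo's caddy-forward-auth snippet. Assumptions not stated in the commit: Authelia listens on plain HTTP port 9091 on the MagicDNS host, the snippet is named `authelia-forward-auth`, and a hypothetical protected vhost `app.infinidim.net` proxies to `app-backend:8080`. The :443->:8443 SNI fan-out in front of this Caddy is not modelled.

```caddyfile
# Added example, not the repo's snippet. Assumed (not in the commit): Authelia on
# plain HTTP :9091, snippet name, and the app.infinidim.net / app-backend:8080 vhost.
# No `tls` cert-file lines: automatic HTTPS handles auth.infinidim.net via ACME.

(authelia-forward-auth) {
  forward_auth agrajag.tail7b1641.ts.net:9091 {
    # Authelia 4.39 endpoint. The old form was /api/verify?rd=<portal>; the
    # portal redirect now comes from authelia_url in the Authelia yml, so no rd=.
    uri /api/authz/forward-auth
    # Identity headers Authelia sets on a 200; copy them to the upstream app.
    copy_headers Remote-User Remote-Groups Remote-Email Remote-Name
  }
}

# The portal vhost: Caddy terminates TLS and proxies to the Authelia node.
auth.infinidim.net {
  reverse_proxy agrajag.tail7b1641.ts.net:9091
}

# A protected application vhost (hypothetical). Every request is checked by
# Authelia first; unauthenticated browser requests are redirected to the portal.
app.infinidim.net {
  import authelia-forward-auth
  reverse_proxy app-backend:8080
}
```

`caddy validate --config Caddyfile --adapter caddyfile` checks the file before reload. After that, an unauthenticated browser request to the app vhost should be redirected to the portal instead of reaching the upstream. Issuance for a new vhost also depends on the CAA point in the commit: `dig CAA infinidim.net +short` shows the accounturi pin, and the certificate request is refused until this Caddy's Let's Encrypt account is on it.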
Wayne Hayes
ddf00fbf90 authelia: vendor into the tree under authelia/ with a single root .env
Move the Authelia stack (compose, config, snippets, docs) out of the separate
/opt/authelia repo into authelia/, so the whole deployment shares ONE operator
.env at the repo root. The four shared infra vars (TS_OAUTH_CLIENT_SECRET,
TS_TAILNET, DB_MAGIC_NAME, REDIS_MAGIC_NAME) are defined once; authelia/.env is
a symlink to ../.env (gitignored, recreated per host). .env.example + .gitignore
folded in.

Run from the repo root:  docker compose -f authelia/docker-compose.yml up -d
(or: cd authelia && docker compose up -d  — the .env symlink makes it resolve).

The standalone /opt/authelia is left intact as a history archive; remove once
this is verified.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-11 21:30:18 -04:00
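A per-host bootstrap check for the layout this commit describes: one operator .env at the repo root, authelia/.env a symlink to ../.env that is gitignored and recreated on each host, and the four shared infra vars defined once. It is an added example, not a script from the repo, and it assumes the vars are plain KEY=VALUE lines in the root .env; the sample .env written under a temp dir is constructed for the stand-alone run.

```sh
#!/bin/sh
# Added example (not the repo's own tooling). Assumes plain KEY=VALUE lines in
# the root .env and the authelia/.env -> ../.env symlink from the commit.
set -eu

# The four shared infra vars the commit says are defined once at the repo root.
REQUIRED_VARS="TS_OAUTH_CLIENT_SECRET TS_TAILNET DB_MAGIC_NAME REDIS_MAGIC_NAME"

# ensure_env_link REPO_ROOT: (re)create the gitignored symlink on this host.
# Refuses to clobber a regular file, since that may hold a host-local secret.
ensure_env_link() {
  root=$1
  link="$root/authelia/.env"
  if [ -e "$link" ] && [ ! -L "$link" ]; then
    echo "refusing: $link is a regular file, not a symlink to ../.env" >&2
    return 1
  fi
  ln -sfn ../.env "$link"
  [ "$(readlink "$link")" = "../.env" ]
}

# check_env_vars REPO_ROOT: every shared var must be present and non-empty in
# the root .env, read through the symlink exactly as docker compose would.
check_env_vars() {
  root=$1
  rc=0
  for v in $REQUIRED_VARS; do
    # last definition wins, like compose's env file handling; keep '=' in values
    val=$(grep -E "^$v=" "$root/authelia/.env" | tail -n 1 | cut -d= -f2-)
    if [ -z "$val" ]; then
      echo "missing or empty in root .env: $v" >&2
      rc=1
    fi
  done
  return $rc
}

# Constructed sample layout so the script runs stand-alone (values are dummies).
demo_root=$(mktemp -d)
mkdir -p "$demo_root/authelia"
cat > "$demo_root/.env" <<'EOF'
TS_OAUTH_CLIENT_SECRET=tskey-client-example
TS_TAILNET=example.ts.net
DB_MAGIC_NAME=postgres
REDIS_MAGIC_NAME=redis
EOF

ensure_env_link "$demo_root"
check_env_vars "$demo_root" && echo "ok: $demo_root/authelia/.env -> ../.env, all shared vars set"
```

Run it against the real checkout with the repo root in place of `$demo_root`; a missing var fails the check before `docker compose -f authelia/docker-compose.yml up -d` starts containers with an empty value.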